What is Kubernetes RBAC?

Kubernetes RBAC (Role-Based Access Control) regulates access to Kubernetes API resources based on roles assigned to users, groups, or service accounts. Core RBAC objects: (1) Role: namespaced — defines allowed actions (verbs) on resources within a namespace: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: production name: pod-reader rules: - apiGroups: [""] # "" = core API group resources: ["pods", "pods/log"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list"]; (2) ClusterRole: cluster-wide — same as Role but non-namespaced. For: cluster-wide resources (nodes, PV), cross-namespace access; (3) RoleBinding: binds a Role (or ClusterRole) to subjects (users, groups, serviceaccounts) within a namespace: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods namespace: production subjects: - kind: User name: alice apiGroup: rbac.authorization.k8s.io - kind: ServiceAccount name: my-app namespace: production roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io; (4) ClusterRoleBinding: binds ClusterRole to subjects cluster-wide. Service accounts: identity for pods — auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount/. Use RBAC to grant service accounts specific permissions (Secrets access, ConfigMap read, Pod list). kubectl auth can-i: kubectl auth can-i create pods --namespace production --as alice. Principle of Least Privilege: grant minimum required permissions.